23.5 About chroot Jails

23.5.1 Running DNS and FTP Services in a Chroot Jail
23.5.2 Creating a Chroot Jail
23.5.3 Using a Chroot Jail

A chroot operation changes the apparent root directory for a running process and its children. It allows you to run a program with a root directory other than /. The program cannot see or access files outside the designated directory tree. Such an artificial root directory is called a chroot jail, and its purpose is to limit the directory access of a potential attacker. The chroot jail locks down a given process and any user ID that it is using so that all they see is the directory in which the process is running. To the process, it appears that the directory in which it is running is the root directory.

Note

The chroot mechanism cannot defend against intentional tampering or low-level access to system devices by privileged users. For example, a chroot root user could create device nodes and mount file systems on them. A program can also break out of a chroot jail if it can gain root privilege, because a root process can call chroot() again and escape to the real root directory. For this reason, you should ensure that a chroot jail does not contain any setuid or setgid executables that are owned by root.

For a chroot process to be able to start successfully, you must populate the chroot directory with all required program files, configuration files, device nodes, and shared libraries at their expected locations relative to the level of the chroot directory.

23.5.1 Running DNS and FTP Services in a Chroot Jail

If the DNS name service daemon (named) runs in a chroot jail, an attacker who breaks into your system through a BIND vulnerability is confined to the files under the chroot jail directory. Installing the bind-chroot package creates the /var/named/chroot directory, which becomes the chroot jail for all BIND files.

You can configure the vsftpd FTP server to place clients in chroot jails automatically. By default, anonymous users are placed in a chroot jail. However, local users that access a vsftpd FTP server are placed in their home directory with no such restriction. Specify the chroot_local_user=YES option in the /etc/vsftpd/vsftpd.conf file to place local users in a chroot jail based on their home directory.

23.5.2 Creating a Chroot Jail

To create a chroot jail:

  1. Create the directory that will become the root directory of the chroot jail, for example:

    # mkdir /home/oracle/jail

  2. Use the ldd command to find out which libraries are required by the command that you intend to run in the chroot jail, for example /bin/bash:

    # ldd /bin/bash
    	linux-vdso.so.1 =>  (0x00007fff56fcc000)
    	libtinfo.so.5 => /lib64/libtinfo.so.5 (0x0000003ad1200000)
    	libdl.so.2 => /lib64/libdl.so.2 (0x0000003abe600000)
    	libc.so.6 => /lib64/libc.so.6 (0x0000003abe200000)
    	/lib64/ld-linux-x86-64.so.2 (0x0000003abde00000)

  3. Create subdirectories of the chroot jail's root directory that have the same relative paths as the command binary and its required libraries have to the real root directory, for example:

    # mkdir /home/oracle/jail/bin
    # mkdir /home/oracle/jail/lib64

  4. Copy the binary and the shared libraries to the directories under the chroot jail's root directory, for example:

    # cp /bin/bash /home/oracle/jail/bin
    # cp /lib64/{libtinfo.so.5,libdl.so.2,libc.so.6,ld-linux-x86-64.so.2} \
      /home/oracle/jail/lib64
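The four steps above, combined into one POSIX shell script. This is an added example and not part of the Oracle documentation: it reads ldd output to find the libraries a binary needs, copies the binary and the libraries into the jail at the same relative paths they have under the real root, and then audits the jail for setuid or setgid files, which the note at the start of this section warns against. The function names ldd_paths, jail_copy, build_jail and jail_check_setuid are assumptions made for this example.

```shell
#!/bin/sh
# Added example: build a minimal chroot jail for one binary and audit it.
# The function names below are assumptions for this example, not part of
# the documented procedure.

# Read ldd output on stdin and print one library path per line.
# Handles both "libc.so.6 => /lib64/libc.so.6 (0x...)" lines and the bare
# "/lib64/ld-linux-x86-64.so.2 (0x...)" line for the dynamic loader. The
# virtual linux-vdso entry has no file on disk and is skipped.
ldd_paths() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//               { print $1 }
    '
}

# Copy one file into the jail at the path it has under the real root,
# creating the parent directory first (steps 3 and 4 combined).
# Usage: jail_copy JAIL_DIR /absolute/path
jail_copy() {
    jail=$1
    src=$2
    mkdir -p "$jail$(dirname "$src")" &&
    cp -p "$src" "$jail$src"
}

# Copy a binary and every shared library ldd reports for it into the jail.
# Usage: build_jail JAIL_DIR /path/to/binary
build_jail() {
    jail=$1
    bin=$2
    mkdir -p "$jail" || return 1
    jail_copy "$jail" "$bin" || return 1
    # The while loop runs in a subshell, so "exit 1" fails the pipeline
    # and build_jail returns that status.
    ldd "$bin" | ldd_paths | while IFS= read -r lib; do
        jail_copy "$jail" "$lib" || exit 1
    done
}

# List setuid or setgid files inside the jail, whatever their owner.
# Prints nothing and returns 0 when the jail is clean, returns 1 and
# prints the offending paths otherwise.
# Usage: jail_check_setuid JAIL_DIR
jail_check_setuid() {
    jail=$1
    found=$(find "$jail" -type f \( -perm -4000 -o -perm -2000 \) -print)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Typical use, run as root so file ownership is preserved:
#   build_jail /home/oracle/jail /bin/bash && jail_check_setuid /home/oracle/jail
```

The script covers only what the four steps cover: the binary and its shared libraries. Any configuration files or device nodes the program needs, as mentioned earlier in this section, still have to be added to the jail separately.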

23.5.3 Using a Chroot Jail

To run a command in a chroot jail in an existing directory (chroot_jail), use the following command:

# chroot chroot_jail command

If you do not specify a command argument, chroot runs the value of the SHELL environment variable or /bin/sh if SHELL is not set.

For example, to run /bin/bash in a chroot jail (having previously set it up as described in Section 23.5.2, “Creating a Chroot Jail”):

# chroot /home/oracle/jail
bash-4.1# pwd
/
bash-4.1# ls
bash: ls: command not found
bash-4.1# exit
exit
#

You can run built-in shell commands such as pwd in this shell, but not other commands unless you have copied their binaries and any required shared libraries to the chroot jail.

For more information, see the chroot(1) manual page.